openinx commented on a change in pull request #336: HBASE-22580 Add a table
attribute to make user scan snapshot feature configurable for table
URL: https://github.com/apache/hbase/pull/336#discussion_r298155797
##########
File path:
hbase-server/src/main/java/org/apache/hadoop/hbase/security/access/SnapshotScannerHDFSAclHelper.java
##########
@@ -447,28 +458,80 @@ private void setTableAcl(TableName tableName,
Set<String> users)
.collect(Collectors.toList());
}
+ /**
+ * Return users with global read permission
+ * @return users with global read permission
+ * @throws IOException if an error occurred
+ */
+ private Set<String> getUsersWithGlobalReadAction() throws IOException {
+ return
getUsersWithReadAction(PermissionStorage.getGlobalPermissions(conf));
+ }
+
/**
* Return users with namespace read permission
* @param namespace the namespace
+ * @param includeGlobal true if include users with global read action
* @return users with namespace read permission
* @throws IOException if an error occurred
*/
- private Set<String> getUsersWithNamespaceReadAction(String namespace) throws
IOException {
- return PermissionStorage.getNamespacePermissions(conf,
namespace).entries().stream()
- .filter(entry -> entry.getValue().getPermission().implies(READ))
- .map(entry -> entry.getKey()).collect(Collectors.toSet());
+ Set<String> getUsersWithNamespaceReadAction(String namespace, boolean
includeGlobal)
+ throws IOException {
+ Set<String> users =
+ getUsersWithReadAction(PermissionStorage.getNamespacePermissions(conf,
namespace));
+ if (includeGlobal) {
+ users.addAll(getUsersWithGlobalReadAction());
+ }
+ return users;
}
/**
* Return users with table read permission
* @param tableName the table
+ * @param includeNamespace true if include users with namespace read action
+ * @param includeGlobal true if include users with global read action
* @return users with table read permission
* @throws IOException if an error occurred
*/
- private Set<String> getUsersWithTableReadAction(TableName tableName) throws
IOException {
- return PermissionStorage.getTablePermissions(conf,
tableName).entries().stream()
- .filter(entry -> entry.getValue().getPermission().implies(READ))
- .map(entry -> entry.getKey()).collect(Collectors.toSet());
+ Set<String> getUsersWithTableReadAction(TableName tableName, boolean
includeNamespace,
+ boolean includeGlobal) throws IOException {
+ Set<String> users =
+ getUsersWithReadAction(PermissionStorage.getTablePermissions(conf,
tableName));
+ if (includeNamespace) {
+ users
+
.addAll(getUsersWithNamespaceReadAction(tableName.getNamespaceAsString(),
includeGlobal));
+ }
+ return users;
+ }
+
+ private Set<String>
+ getUsersWithReadAction(ListMultimap<String, UserPermission>
permissionMultimap) {
+ return permissionMultimap.entries().stream()
+ .filter(entry -> checkUserPermission(entry.getValue())).map(entry ->
entry.getKey())
+ .collect(Collectors.toSet());
+ }
+
+ private boolean checkUserPermission(UserPermission userPermission) {
+ boolean result = containReadAction(userPermission);
+ if (result && userPermission.getPermission() instanceof TablePermission) {
+ result = checkTablePermissionHasNoCfOrCq((TablePermission)
userPermission.getPermission());
+ }
+ return result;
+ }
+
+ boolean containReadAction(UserPermission userPermission) {
+ return userPermission.getPermission().implies(Permission.Action.READ);
+ }
+
+ boolean checkTablePermissionHasNoCfOrCq(TablePermission tablePermission) {
+ return !tablePermission.hasFamily() && !tablePermission.hasQualifier();
+ }
+
+ boolean isTableUserScanSnapshotEnabled(TableDescriptor tableDescriptor) {
+ String value = tableDescriptor.getValue(USER_SCAN_SNAPSHOT_ENABLE);
+ if (value != null && value.equals("true")) {
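Review bot: In `getUsersWithTableReadAction`, `includeGlobal` only takes effect when `includeNamespace` is also true, because it is merely forwarded to `getUsersWithNamespaceReadAction`; a call with `includeNamespace=false, includeGlobal=true` silently returns no global readers. This set presumably decides which users receive HDFS ACLs (the class is `SnapshotScannerHDFSAclHelper`), so either handle the flag on its own, e.g. `else if (includeGlobal) { users.addAll(getUsersWithGlobalReadAction()); }`, or state the dependency in the `@param includeGlobal` Javadoc. Separately, `getUsersWithReadAction` returns `Collectors.toSet()`, which gives no mutability guarantee, yet both callers call `addAll` on the result; `Collectors.toCollection(HashSet::new)` would make that explicit. `checkUserPermission` also deserves a one-line comment saying why table permissions scoped to a family or qualifier are excluded. The quoted hunk ends inside `isTableUserScanSnapshotEnabled`, so the rest of that method is not covered here.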
Review comment:
Could this just be:
```
return Boolean.valueOf(value) ?
```